This Nominated Discussion Article is based on the post "Automatically blocking IP's after a certain number of Global Protect pre-login failures? " by @RSteffens and answered by Cyber Elite @BPry and @usanitary. Read on if you are curious about how protecting your GP from brute force attacks!
I've just recently started getting blasted with Global Protect portal pre-login failures, coming from a bunch of illegitimate IP's. They all fail because I use certificate authentication and the client cert is not present on the attacker's device. I have have the NGF set up to email me every time this happens and I'm getting just blasted with emails. I only use Global Protect for remote management.
See screenshot of some of the IP's attempting to gain access. I keep blocking IP's but then the attacker uses new ones.
My question is, is there a way to automatically block IP's after a certain number of Global Protect pre-login failures?
Automatic remediation of failed logins is something that I always script through the API. The easiest way to do that is creating a custom report on the firewall and using the API to collect the report on a scheduled basis. Have the script parse the IPs that are failing to login and add it to an EDL that you have configured to on the firewall and create a security rulebase entry to drop all traffic from any IP address located within the EDL.
I am new to scripting and the API. Where do you go on the firewall for this? I have found this type of traffic and would sure like to get it blocked a different way then manually blocking them one at a time.
Here's an article that describes the steps to configure a security policy to block brute force attacks (excessive number of login attempts in a sort period) on the GlobalProtect Portal page without having to know any scripting:
Detecting Brute Force Attack on GlobalProtect Portal Page - Knowledge Base - Palo Alto Networks
